Chapter 22. What Makes Someone a Developer?

Helen Umberger

The definition of a software developer has changed in recent years. Traditionally, applications have been developed by people with specialized expertise in writing code; they have the training and the know-how to secure their apps. Today, apps can be developed by people without technical expertise. By using powerful no-code/low-code platforms, ChatGPT, and other generative AI tools, nontechnical people can create applications without actually writing code. Although this enables and empowers more people to create apps, it is also a cause for concern regarding security. Citizen developers are not trained to develop secure code. As such, application security professionals must take on responsibility for securing what citizen programmers build.

Now AppSec must pick up responsibility for all the new developers regardless of background, training, and—well, whether they are even human. How can AppSec create security champions beyond its normal playground? How do we deliver security training beyond the annual “don’t fall for phishing emails” training that we roll out to our companies? How do we make every employee, and every AI, security-aware? We must, because soon all our employees will be potential programmers. The genie is out of the bottle and cannot be put back.

AppSec needs to ensure that code from nontraditional developers still goes through pipelines ...
